
The Implementation of GDPR in Greece – A Case Study


Fotis Zygoulis

DPO [ Municipality of Iraklio Attikis Greece ]

fotiszygoulis@gmail.com

fotiszygoulis@iraklio.gr


Table of Contents
Introduction ............................................................................................................................... 3
Terminology and Theoretical Basis ........................................................................................... 4
Legal bases ........................................................................................................................ 4
The rights for individuals .................................................................................................. 4
Case Law in Greece.................................................................................................................... 7
Implementation Methodology .................................................................................................. 8
Case Study: the implementation of GDPR in the Municipality of Iraklio Attikis in Greece ....... 9
References ............................................................................................................................... 18


Introduction

The implementation of the GDPR in Greece has brought to light specific problems at all levels
of the administrative structure. In this draft we examine a case study concerning the
implementation of the GDPR in the Municipality of Iraklio Attikis in Greece.


Terminology and Theoretical Basis

The Directive’s full name is ‘Directive (EU) 2016/680 of the European Parliament and of the
Council of 27 April 2016 on the protection of natural persons with regard to the processing
of personal data by competent authorities for the purposes of the prevention, investigation,
detection or prosecution of criminal offences or the execution of criminal penalties, and on
the free movement of such data, and repealing Council Framework Decision 2008/977/JHA’.
It is more widely known as the Law Enforcement Data Directive and it focuses on the
protection of natural persons when their data is processed for preventing, investigating and
prosecuting criminal offences, governing law enforcement agencies and how they process
data in performing their tasks.

Legal bases

The six legal bases for processing data, as defined under Article 6 of GDPR, are:

• Performance of a contract
• Legal obligation
• Performance of a task in the public interest
• Consent from the individual
• Legitimate interest
• Protection of the vital interests of an individual

The rights for individuals

The rights for individuals are established throughout the whole of Chapter III of GDPR, where
they are specified with stipulations regarding how and when organisations must honour
those rights, and some limitations to those rights.

GDPR establishes the right:

• of access to personal data or data about processing of personal data
• to portability (i.e. copies of personal data for the individual’s own use)
• to object to processing
• to restrict processing
• to erasure (you may have heard this called 'the right to be forgotten')
• to rectification (the correction of erroneous data)
• and the right to human-made decisions*

GDPR does not make specific law around cyber security, but it does require that data be
handled securely and gives some broad requirements on what that means. In recognition of
this, a reform of EU ePrivacy law is also underway. In line with the evolution of GDPR as
a regulation, the existing ePrivacy Directive is being replaced by a new Regulation.
Known as the ePrivacy Regulation, its focus is on trust, assuring the security and
confidentiality of data and metadata as they are communicated. The new Regulation will
specify clearer rules to protect this data, conferring the power to enforce them on the
supervisory authorities.

GDPR is a good example of a regulation that allows a Member State to handle certain
aspects in its local statute, including drafting laws that define a supervisory
authority and setting the age below which parental consent is needed for children (though
no younger than 13). The intention is for GDPR to work with limited friction alongside
existing laws and the way Member States prefer to handle specific affairs, where the
Regulation allows this.

Case studies

Austria. Directive 95/46/EC was implemented in Austria by the Austrian Data Protection Act
2000. The new EU 2016 Regulation was due to take effect from May, 2018 and applies to
both the Controllers of Data and the Processors of data. While the Austrian Data Protection
Act continues, many of its provisions were modified to suit the new regulations. The Act was
well thought out and implemented and addressed all aspects of the new regulations -
sometimes even exceeding its requirements.

Spain. The EU Data Protection Directive (95/46/EC) was transposed through the Organic Law on
Data Protection in December 1999, which came into force in January 2000. The Organic Law
was developed through the Royal Decree-Law 1720/2007.
The Spanish Data Protection Agency was established in 1994.
GDPR replaced these previous regulations.

Poland. GDPR replaced the previous act on personal data protection of 1997, which had been
implemented on the basis of the 1995 Directive. EU regulations are directly binding, with no
need to "implement" them in the legislation of the Member State, and this is how it works in
Poland: GDPR is applied directly, without any internal act that incorporates GDPR in part or
in full. There is an act on personal data protection which replaced the previous act of 1997,
but it only contains stipulations of an organisational nature (such as the status of the
supervisory authority) or other matters left to the competence of Member State jurisdiction.

Italy. Italy implemented Directive 95/46/EC on data protection through Legislative Decree
No. 196/2003, the Italian Data Protection Code.
On 8 August 2018 the Italian privacy law integrating the GDPR was approved.
The legislative decree integrating the GDPR was published in the Official Gazette on
19/09/2018 and has been binding with effect from 19 September 2018. Rather than
repealing the existing Italian Privacy Code, the government decided to amend it to align it
with the GDPR, replacing whole sections by means of cross-references to the GDPR.

France. France joined 11 EU countries in adopting the national legislation necessary to
implement and supplement the EU's General Data Protection Regulation (GDPR) and the Law
Enforcement Directive, which sets rules on the processing of personal data by law enforcement
agencies and intelligence services. Several aspects of the new laws take provisions of the
GDPR into account, including by reconstituting the role of France's data protection
authority, the Commission Nationale de l’Informatique et des Libertés (CNIL). According to
the new laws, a child can give consent to the processing of personal data with regard to the
direct provision of information society services from the age of 15. Where the child is under
15 years of age, processing shall be lawful only if consent is given jointly by the child and
their parent or guardian. Information society service providers must draft, in clear and
simple terms easily understandable by the child, the information relating to the processing
operations concerning him or her.

Denmark. The Danish Parliament approved the Data Protection Act on May 23, 2018. The
law brings the country's data protection regime in line with the EU General Data Protection
Regulation. The age limit for children's consent to the use of information society
services (social media, apps, etc.) was lowered to 13 years.
The most important derogation (partial exemption) from the GDPR is that the act allows the
processing of ordinary and sensitive data in connection with personnel administration on the
basis of legitimate interests arising from legislation or collective agreements. This also
applies to public authorities, which cannot normally rely on legitimate interest. About 80
data breach notifications are received each week, making Denmark number one in the EU in the
number of reported breaches when the size of the population is taken into account.

Netherlands. The Dutch Data Protection Act (Wet bescherming persoonsgegevens, WBP) entered
into force on 1 September 2001. The WBP implemented Directive 95/46/EC and was the
basis for secondary legislation, such as the Exemption Decree to the Data Protection Act
(Vrijstellingsbesluit Wbp), which exempted the processing of certain data categories from the
obligation of advance notification (based on article 29 of the Dutch Data Protection Act),
and the Law on Data Breach Notifications (Wet meldplicht datalekken en uitbreiding
bestuurlijke boetebevoegdheid Cbp) (based on article 43a of the Dutch Data Protection Act).
The GDPR Execution Act (Uitvoeringswet Algemene Verordening Gegevensbescherming, UAVG)
became effective on 22 May 2018; the UAVG implements the GDPR and repeals the Dutch Data
Protection Act. The GDPR Adaptation Bill and GDPR Implementation Bill were still being
finalised at the time the UAVG was implemented.

Germany. Germany was the first country in the world to introduce a data protection law
(Datenschutzgesetzgebung, BDSG), in 1970. Germany has some of the strictest data
protection laws in the world, but the amendments to the BDSG taking into account the
provisions of the EU Data Protection Directive of October 1995 were not implemented into
national law until 2001.
With the introduction of GDPR, Germany has introduced the new German Privacy Act
(BDSG-new), which complements GDPR.

Who is affected?

Pretty much any EU citizen about whom personal data is captured, stored and used in any
way, as well as the people who are handling that data and the organisations they are
working for. Remember, this relates to customers, staff and legal entities, and GDPR is
extra-territorial; in other words, it relates to data about EU citizens wherever in the
world it may be processed. There are special provisions for children, to which we refer
throughout.

Responsibility tends to be spread across people who take on specific roles as defined by
GDPR, such as the data controller, but there are contractual responsibilities that will be
held by the people and organisations handling the data on behalf of the data subject, as well
as any other people they subcontract to, referred to in GDPR as the data processor.

Ethics and confidentiality for instance are enshrined in other laws across Europe, usually as
a matter of Member State law and / or international principles and conventions.

The intention is that GDPR will work seamlessly with these existing laws, but when
understanding GDPR and its scope, it is important to make sure that you do not confuse
other laws and good practice with GDPR provisions – these are all intended to work
together.

The same is true for what Member State laws permit in terms of surveillance and monitoring
of individuals. What is specified in other laws regarding surveillance must be balanced with
the requirements of GDPR, but remember that one of the legal bases for processing relates
to legal obligation – where processing may proceed in line with other laws. Arguably, GDPR
provides a basis for Member States to better balance individual rights against other
surveillance laws where there are grey areas.

To illustrate what is meant by seamlessness in this context, alongside GDPR, the EU also
passed into law a new Directive that was designed to modernise data handling for judicial
and police services around Europe with direct reference to the principles and provisions in
GDPR.

Case Law in Greece

The GDPR repeals Directive 95/46/EC, which had been incorporated by the EU Member States,
in Greece by Law 2472/1997. Under the draft law on the Greek Data Protection Act, Law
2472/1997 will also be abolished in its entirety.

In Greece, GDPR has not yet been implemented by a national law on its enforcement.
Unfortunately, Greece is among the last three EU countries that have not yet voted on a
GDPR implementing law. The Legislative Committee delivered the relevant draft law to
the Minister a year ago. After the completion of the related consultation, a reformulated
version of the draft will be submitted on the basis of the comments that emerged from the
consultation.

Nevertheless, there was no news concerning the fate of the necessary bill until the end
of November 2018, when the Legislative Committee was reassembled at the initiative of
the new Minister of Justice with the addition of new members. At the beginning of January
2019, Mrs. Mitrou submitted her resignation, and the new committee, chaired by Mr
Philipoulos, has a deadline to deliver a new draft on the implementation of the GDPR by
the end of February 2019.

Moreover, the absence of relevant national implementing legislation creates legal
uncertainty over the scope of Greek Law 2472/97, the national data protection law,
since most of its provisions have been replaced by those of the GDPR but have not, of
course, been abolished yet, and some of its provisions still apply in the Greek national
legal system. It is obvious that individuals, businesses and the public sector need clarity
and certainty. To be more specific, in the absence of national legislation, no GDPR
'compliance' can be regarded as comprehensive at all.

Implementation Methodology

In all Greek Public Organizations and particularly in the Greek Municipalities, an attempt has
been made to integrate the GDPR with a specific methodology that involves the recruitment
of outsourced specialized consultants on this issue.

The methodology followed:

Deliverable 1:

Existing Status Assessment through: Mapping - Gap Analysis - Risk Analysis:

It concerns the evaluation of the current situation by mapping it (Data Mapping) in relation
to the Municipality's readiness to apply the new General Regulation for the Protection of
Personal Data, and by investigating the deviations of the Municipality's operation from the
Regulation (Gap Analysis).

More specifically, this means identifying the personal data managed by the Municipality,
identifying the categories of that data and the categories of the data subjects to whom it
relates, and then analysing all the processes related to them, using a flow chart / study of
data and processes to represent them within the framework of this correlation.

Next, on the basis of this analysis, a comparison is made against the articles of the
Regulation and their paragraphs in order to achieve the required compliance with the
Regulation, drawing up a list of deficiencies, risks and compliance requirements (Risk
Analysis).

Finally, a Data Protection Impact Assessment is carried out, assessing the data protection
implications in order to identify the most important risks.

Deliverable I (P-I): (I.1.): Data Mapping / Gap Analysis Report, (I.2.) Risk Analysis Report, (I.3.)
Impact Assessment Report

Deliverable II (P-II): Design, Development and Adoption of the Information Security System
and GDPR Compliance Plan

During this stage, an Information Security System will be developed and adopted, together
with the GDPR Compliance Plan.

The latter is an Action Plan with which the Municipality must comply: an integrated
methodology of action, detailed at each step, which, if executed as a whole, will result in
the Municipality’s compliance with the Regulation. The GDPR Compliance Plan includes, among
other things: the development of a policy manual, staff training, and the development of an
ISO 27001 information security management system.

Deliverable II (P-II):

(II.1.) Data Security Management Framework, Information Security System

(II.2.) GDPR Compliance Plan

Case Study: the implementation of GDPR in the Municipality of Iraklio Attikis in Greece

In the Municipality of Iraklion Attikis, an attempt has been made to incorporate the GDPR
by adopting a full implementation of the legislation and the appointment of a DPO.

Particularly, the following policy has been adopted:

1. Data Policy of the Local Government Organization of the Municipality of Iraklion Attikis,
Greece

The data (in physical and digital form) are critical data for the Municipality of Iraklion Attikis,
and their proper handling is necessary for their use, processing, storage, deletion processes
and the procedures taken to identify new collections of data and justify the continuation of
existing ones.

The Data Policy of the Municipality of Iraklion Attikis includes the collection and processing
of personal, financial information if one or more of the following conditions are met:

• Data collection contains sensitive information.

• The Municipality of Iraklion Attikis has a strategic need for information and data.

• Data collection is used in a service provision.

• Legislative requirements, obligations and regulations.


The data must be collected in such a way that the rights and privacy of the subject are taken
into account, in accordance with the GDPR. When third-party collectors collect or acquire
data for the Municipality of Iraklion Attikis, an agreement must be drawn up between the
Municipality of Iraklion Attikis and the external partner, ensuring the confidentiality and
the security of the data. To that end, the DPO of the Municipality must be informed in every
case of the drawing up and monitoring of such a contract.

A contract must include the following:

• Ownership of the data

• Types and categories of personal data - Object, nature and purpose of the whole
processing

• Obligations and rights

• Data storage and security

• Retention of data

• Organization Audit Requirements

• Destruction of data after termination of the contract

Depending on the level of confidentiality and criticality, data can be classified into the
following categories:

• Public use: fewer security controls, unrestricted

• Internal use: internal needs, third party access

• Confidential use: legislative acts, regulations, contracts

• Particular use: special safe handling is required

The categorization of data in the Municipality of Iraklion Attikis is the result of
collaboration between the Directorates and the DPO in the context of implementing the GDPR.
Confidential personal data is the most important level of the data categorization and
requires the most attention during processing. This kind of data must be processed only by
qualified personnel. The retention period of such data should be as short as possible to
minimize the risk of leakage and disclosure.

All personal data must have a data keeper (holder). It is forbidden to print documents that
are classified as confidential unless it is necessary. When they are to be destroyed, they
must be destroyed so that they cannot be recovered (physical form) or deleted in a secure
manner (digital form).


Where required by a law or a contract, the Municipality of Iraklion Attikis, should provide
information to interested parties for the purposes of the processing of their personal data.
The notification to the data subject must be no later than:

• The moment of the first communication.

• One calendar month from the first collection of personal data.

• At the time of disclosure, unless a legal notice already exists or a legal exemption is in force
for the disclosure requirements

The Municipality of Iraklion Attikis should receive personal data by legal and fair means and,
where appropriate, with the knowledge and consent of the data subject. Consent must be
documented. It must be given for each specific function and purpose of the processing and
the data subject must be able to withdraw the consent as easily as they gave it. When there
is a need to request and obtain the consent of a person prior to the collection, use or
disclosure of their personal data, the Municipality of Iraklion Attikis, should seek to obtain
such consent.

The Municipality of Iraklion Attikis must be able to prove that:

• The data subject has explicitly given their consent to the processing of their personal data.

• The data subject has consented to the processing of their personal data for one or more
specific reasons.

• The consent form is understandable, easily accessible and easily distinguishable from any
other matter related to the data subject.

• The data subject has been informed of the right to withdraw their consent at any time.

The Municipality of Iraklion Attikis must be able to prove that the data subject has the
right to withdraw their consent at any time (in this case, the data subject must request the
withdrawal of consent). Where the processing of data has multiple purposes, the Municipality
of Iraklion Attikis must be able to demonstrate that the withdrawal of consent is valid for
all the specific purposes. For the access procedure, the data subject must provide
appropriate evidence of identity: an identity card, a valid passport or a driving license.
The date, the identification checks and the type of data requested should be recorded. The
Municipality of Iraklion Attikis, Attica, has a month from the date of the application to
provide the requested information. The request for access shall be forwarded to the Data
Protection Officer, who shall ensure that the requested data is collected within the time
frame.
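The access procedure just described (identity evidence, a record of the date, the checks made and the type of data requested, and a one-month window to respond) is the kind of log a DPO keeps. The following Python is an added example, not the Municipality's own system or code from this paper; the `AccessRequest` class, the `ACCEPTED_ID_DOCUMENTS` set and the sample entries are constructed for illustration. It also handles the calendar edge case of a request received on the 31st: the deadline is clamped to the last day of the following month.

```python
"""Access-request log for a data protection officer.

Added example, not the Municipality's own system or code from this paper.
It records what the policy above requires for every access request (date,
identity check, type of data requested) and computes the one-month response
deadline. AccessRequest, ACCEPTED_ID_DOCUMENTS and the sample entries are
constructed for illustration.
"""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Identity evidence the policy accepts before data is released.
ACCEPTED_ID_DOCUMENTS = {"identity card", "passport", "driving license"}


def is_accepted_document(document: str) -> bool:
    """True if the presented evidence is one the policy recognises."""
    return document.strip().lower() in ACCEPTED_ID_DOCUMENTS


def add_one_month(day: date) -> date:
    """Same day of the next month, clamped to that month's last day
    (31 January -> 28 or 29 February), so that a deadline always exists."""
    year = day.year + day.month // 12
    month = day.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(day.day, last_day))


def response_deadline(received_iso: str) -> str:
    """One month from the date of the application, as an ISO date string."""
    return add_one_month(date.fromisoformat(received_iso)).isoformat()


@dataclass
class AccessRequest:
    subject_ref: str                  # constructed pseudonymous reference, never a name
    received: str                     # ISO date on which the application was made
    id_document: str                  # which identity evidence was checked
    data_requested: str               # type of data the subject asked for
    completed: Optional[str] = None   # ISO date on which the response was given

    def __post_init__(self) -> None:
        # A request is only logged once identity has been verified.
        if not is_accepted_document(self.id_document):
            raise ValueError(f"identity not verified with an accepted document: {self.id_document!r}")

    @property
    def deadline(self) -> str:
        return response_deadline(self.received)

    def is_overdue(self, today_iso: str) -> bool:
        """Still open after the deadline: the DPO must chase the directorate."""
        if self.completed is not None:
            return False
        return date.fromisoformat(today_iso) > date.fromisoformat(self.deadline)


def overdue_requests(log: List[AccessRequest], today_iso: str) -> List[str]:
    """References of the requests still open past their one-month deadline."""
    return [r.subject_ref for r in log if r.is_overdue(today_iso)]


# Constructed sample log (no real citizens).
SAMPLE_LOG = [
    AccessRequest("SUBJ-001", "2019-01-31", "passport", "social policy file"),
    AccessRequest("SUBJ-002", "2019-02-10", "identity card", "trade licence application",
                  completed="2019-02-20"),
    AccessRequest("SUBJ-003", "2019-02-14", "driving license", "municipal register extract"),
]

if __name__ == "__main__":
    for r in SAMPLE_LOG:
        print(r.subject_ref, "received", r.received, "deadline", r.deadline)
    print("overdue on 2019-03-01:", overdue_requests(SAMPLE_LOG, "2019-03-01"))
```

The subject reference is a pseudonymous key rather than a name so that the log itself holds as little personal data as possible; the identity check is recorded as the document type, not its number.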

The Municipality of Iraklion Attikis uses personal data for specific purposes in order to
provide and / or manage functions and services. Every department of the Municipality of
Iraklion Attikis will process personal data in accordance with all applicable laws,
obligations, contracts and regulations. Processing involves the execution of any operation
on data, in particular: collecting, storing, organizing, changing, acquiring, recording,
maintaining, correcting, retrieving, using, disclosing, transferring, disposal, erasure or
destruction. Data protection must be ensured during the processing activities through the
application of "appropriate technical and organizational measures". These safeguards must
be applied both when determining the means of processing and at the time of the processing
itself. Technical and organizational security measures include encryption, pseudonymization,
confidentiality and integrity of the system, resilience, and regular testing.

The data subject has the right of access: to know the purposes of the data processing, the
categories of personal data processed, the recipients or categories of recipients to whom
the data will be disclosed, how long the data will be stored, and their right to correction
or deletion.

Personal data will not be processed unless one of the following conditions is met:

• The data subject has given their consent to the processing for one or more specific
purposes.

• Processing is necessary for the performance of a contract to which the data subject is
party, or will become party on completion of the relevant steps.

• Processing is necessary for the exercise of public authority.

• Processing is necessary for compliance with a legal obligation.

The Municipality of Iraklion Attikis will inform individuals about the collection and use of
their personal data, including the purposes and legal basis of the processing, transfers and
retention periods. The Municipality of Iraklion Attikis should provide access to the data.
The subject's access requests must be recorded and appropriate action must be taken within
specific time limits. Data subjects have the right to receive confirmation regarding the
processing of their personal data and a copy of it. The data subject may apply for a
correction in the case of inaccurate, incomplete or new personal data. An answer should be
given within one month to any reasonable request for correction. The data subject has the
right to request that the processing of his or her personal data be restricted; once this
right is exercised, only storage of the data is allowed. The data subject has the right to
object to the processing of his or her personal data. The objection takes effect immediately
and the Municipality of Iraklion Attikis will no longer process the personal data, unless
legitimate reasons prevail that override the interests and rights of the subject. The data
subject should be informed by the Municipality when their data is subject to automated
processing, automated decision making (automated means: without human intervention) and
profiling (automated processing). Data subjects have the right to require the deletion of
their personal data and their removal from the processing under certain circumstances.

Children's personal data should have additional technical safeguards when services are
offered directly to children. (Especially in cases handled by the Social Policy Department of
the Municipality).

2. Compliance Measures taken by the Municipality of Iraklion Attikis

The Municipality of Iraklion Attikis will adopt procedures to ensure the exercise of the
data subjects' rights. In particular, Article 12 of the GDPR provides arrangements for the
fundamental rights of the data subjects, namely the right to information, access and
correction, as well as the right to be forgotten, restriction of processing and objection.
In this regard, the Municipality of Iraklion Attikis will adopt these measures in order to
be able to respond to the requests of the data subjects.

A record of processing activities will be set up in the Municipality of Iraklion Attikis,
because the organization employs at least 250 people and carries out processing that
includes special categories of data (Article 9 of the GDPR). Moreover, this duty of the
controller is expressly set out in Article 30 of the Regulation. This "File" is a documented
list of all the services of the Municipality, with a reference to the data for each "filing
system" and for each "automated processing" of personal data it carries out. If the
Municipality of Iraklion Attikis, Attica, fails to keep a record of processing activities, it
risks being unable to demonstrate its compliance with the GDPR if requested (Article 5(2),
"principle of accountability"). A filing system is defined as any structured set of personal
data that is accessible according to specific criteria, whether centralized, decentralized or
distributed on a functional or geographical basis (Article 4(6) of the GDPR). This record
will be prepared by the DPO [Mr. Fotis Zygoulis] in cooperation with all the Directorates of
the Municipality of Iraklion Attikis.
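A record of processing activities is easier to keep honest when it is a structured register that can be checked rather than a free-text list. The Python below is an added example, not the Municipality's record and not code from this paper: each entry carries the points a controller documents under Article 30, `check_activity()` flags the gaps the text above warns about (special categories without a recorded Article 9 condition, joint controllers without an Article 26 arrangement, missing purpose, recipients, retention or security measures, a public authority relying on legitimate interest), and `register_required()` applies the two triggers the text gives for keeping the record. The class, field names, directorate names and the three sample entries are constructed.

```python
"""Record of processing activities (Article 30 GDPR) as a checked register.

Added example, not the Municipality's record or code from this paper.
Field names, directorates and the sample entries are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Article 9 special categories, as listed in the text.
SPECIAL_CATEGORIES = {
    "racial or ethnic origin", "political opinions", "religious or philosophical beliefs",
    "trade union membership", "genetic", "biometric", "health", "sex life", "sexual orientation",
}

# The six Article 6 legal bases listed earlier in the document.
LEGAL_BASES = {"contract", "legal obligation", "public task", "consent",
               "legitimate interest", "vital interests"}


@dataclass
class ProcessingActivity:
    directorate: str
    filing_system: str
    purpose: str
    legal_basis: str
    data_subjects: List[str]
    data_categories: List[str]
    recipients: List[str]
    retention: str
    security_measures: List[str]
    article9_condition: Optional[str] = None   # needed when special categories are present
    joint_controllers: List[str] = field(default_factory=list)
    joint_arrangement: bool = False            # Article 26 arrangement in place?

    @property
    def key(self) -> str:
        return f"{self.directorate}/{self.filing_system}"


def special_categories_in(activity: ProcessingActivity) -> List[str]:
    """Special categories (Article 9) that appear among the entry's data categories."""
    return sorted(c for c in activity.data_categories if c in SPECIAL_CATEGORIES)


def check_activity(a: ProcessingActivity) -> List[str]:
    """Findings a DPO would raise when reviewing one register entry."""
    findings = []
    if not a.purpose.strip():
        findings.append("missing purpose")
    if a.legal_basis not in LEGAL_BASES:
        findings.append(f"unknown legal basis {a.legal_basis!r}")
    elif a.legal_basis == "legitimate interest":
        # The text notes that public authorities cannot normally rely on this basis.
        findings.append("public authority relying on legitimate interest")
    if not a.data_subjects:
        findings.append("no categories of data subjects")
    if not a.recipients:
        findings.append("no recipients listed")
    if not a.retention.strip():
        findings.append("no retention period")
    if not a.security_measures:
        findings.append("no technical and organizational measures described")
    if special_categories_in(a) and not a.article9_condition:
        findings.append("special categories without an Article 9 condition")
    if a.joint_controllers and not a.joint_arrangement:
        findings.append("joint controllers without an Article 26 arrangement")
    return findings


def register_findings(register: List[ProcessingActivity]) -> Dict[str, List[str]]:
    """Findings for every entry, keyed by directorate/filing system."""
    return {a.key: check_activity(a) for a in register}


def register_required(employees: int, register: List[ProcessingActivity]) -> bool:
    """The two triggers the text gives: 250 or more employees, or special-category data."""
    return employees >= 250 or any(special_categories_in(a) for a in register)


# Constructed sample entries (no real filing systems).
WELFARE_FILES = ProcessingActivity(
    "Social Policy", "welfare benefit files", "assessment of welfare benefit applications",
    "public task", ["residents applying for benefits"], ["name", "address", "health"],
    ["Social Policy Department staff"], "5 years after case closure (constructed)",
    ["access limited to qualified personnel", "encrypted storage"],
    article9_condition="substantial public interest (constructed)",
)
HERMES_REQUESTS = ProcessingActivity(
    "KEP", "HERMES platform requests", "citizen service requests via a ministry platform",
    "public task", ["citizens"], ["name", "identity card number"],
    ["ministry platform operator"], "", ["platform access control"],
    joint_controllers=["ministry (constructed)"],
)
TRADE_LICENCES = ProcessingActivity(
    "Trade Licensing", "outdoor trade licence applications", "renewal of trade licences",
    "legitimate interest", ["licence applicants"], ["name", "tax number"],
    ["licensing staff"], "duration of licence plus 2 years (constructed)", ["locked archive"],
)
SAMPLE_REGISTER = [WELFARE_FILES, HERMES_REQUESTS, TRADE_LICENCES]

if __name__ == "__main__":
    print("record required:", register_required(250, SAMPLE_REGISTER))
    for key, findings in register_findings(SAMPLE_REGISTER).items():
        print(key, "->", findings or "OK")
```

Run as a script it prints one line per entry; the welfare entry passes, the HERMES entry is flagged for its empty retention period and missing joint-controller arrangement, and the licensing entry for relying on legitimate interest.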

In accordance with Article 26 of the GDPR, all stakeholders that jointly determine the
purposes and means of processing will be treated as joint controllers. Joint controllers
shall clearly define their respective responsibilities for compliance with the obligations
under the GDPR, in particular as regards the exercise of the rights of the data subject and
their respective duties. The data subject can therefore exercise his or her rights against
each of the controllers. Accordingly, the Municipality of Iraklion Attikis, as a data
processor, must indicate its obligations under Article 26 of the GDPR when signing contracts
with third parties. Another example of joint controllership, in cases where the City
processes personal data through the platforms of Ministries, is the KEP Directorate (e.g.
the HERMES platform).

With particular regard to the processing of data of vulnerable social groups in the
Municipality of Iraklion Attikis handled by the Social Policy Department, it is necessary to
adopt a strict framework for the processing of sensitive personal data, since such data
reveal racial or ethnic origin, political opinions, religious or philosophical beliefs or
trade union membership, as well as genetic and biometric information and information on
health, sex life or sexual orientation.

At this point, special mention should be made of the cases where complaints are submitted
to the Municipality through its telephone number for citizens (the case of the
gov.e-irakleio.gr platform). The Municipality of Iraklion Attikis, Attica, before collecting
the personal data of the individual subjects, will inform them about the purpose of
processing their data. This requirement is not limited to telephone complaints from the
subjects but applies in every case where the Municipality processes the personal data of
subjects by telephone.


3. Role of the DPO in the Municipality of Iraklion Attikis

The DPO plays a key role in developing a culture of data protection within the Municipality
of Iraklion Attikis and contributes to the implementation of essential elements of the GDPR,
such as the principles of data processing, the rights of data subjects, data protection by
design and by default, records of processing activities, security of personal data, and the
notification and communication of data breaches (Articles 25, 30, 32, 33, 34).

Pursuant to Article 38 of the GDPR, the data processor and the data controller shall ensure
that the DPO is duly and timely involved in all matters relating to the protection of
personal data.

Article 38 (3) refers as follows: "The DPO does not receive instructions to carry out his/her ...
duties." Furthermore, it states that the DPOs "whether or not they are employees of the
Municipality, they must be able to carry out their duties and tasks in an independent
manner. "

The opinion of the DPO is requested in the following cases:

• Performing an impact assessment on data protection

• Choice of methodology for the impact assessment on data protection

• Selection of organizational safeguards and techniques to mitigate risks to the rights of
data subjects

Under Article 39(2), the DPO 'shall have due regard to the risk associated with processing
operations, taking into account the nature, scope, context and purposes of processing'.

The DPO of the Municipality of Iraklion Attikis is not personally liable for non-compliance
with data protection requirements. Compliance with the protection rules is the
responsibility of the data controller or the data processor inside the Municipality of Iraklio
Attikis in Greece.

Templates of incorporation of the Legislation in the documents of the Municipality of
Iraklion Attikis

Standard in general

The purpose for which the subject's data will be used should be entered in the
"import target" field.

Example:

In the application form for the "Renewal and Examination of the Trade and
Commerce Exercise License", the phrase concerning Law 4497/2017 will be added,
which will take the following final form:

"The Municipality of Iraklion Attikis informs that, according to Article 6.1(e) of
Regulation (EU) 2016/679 (General Data Protection Regulation), the processing of the
personal data of the subject is necessary for the performance of a task which is
carried out in the public interest or in the exercise of the public authority vested in
the controller, namely the Municipality of Iraklion Attikis, and in this case the
renewal / approval of a trade license, based on Law 4497/2017 as in force."

In this example, the processing purpose is: "in this case the renewal / approval of a
permit for outdoor trade under the provisions of Law 4497/2017".

The above standard applies to all Directorates of the Municipality of Iraklion Attikis,
according to the purpose of the processing in their transactions with citizens and
institutions in which personal data is involved.

Statement of consent and compliance text

It is noted that it is not necessary for the moment to include a statement of consent
in the documents of the Municipality of Iraklion Attikis regarding its transactions
with citizens. On the contrary, the above-mentioned compliance text to be included
in the official documents is considered necessary and obligatory for all the
Directorates of the Municipality of Iraklion Attikis.

At the same time it is necessary to place a legal disclaimer and a mention of the cookies
policy on the website of the Municipality of Iraklion Attikis, as well as a personal data
disclaimer in the email signatures of the employees of the Municipality of Iraklion Attikis,
Attica, when using their official email. This template will be developed in cooperation
with the Head of the Department of Informatics of the Municipality of Iraklio Attikis.
This requires changes to the terms of use of these media.


Compliance forms

• Consent Receipt Form

• Consent Form

• Consent Guaranty Form for a Child

• Consignment Form for Guarding a Child

• Vendor Processing Agreement

• Application Form for Access to Personal Data

Steps of compliance

The steps taken in compliance by the Municipality of Iraklion Attikis are as follows:

• Appointment of a Data Protection Officer

• Data mapping, data flow

• Risk Assessment and Gap Analysis

• Preparation of a Data Protection Impact Assessment, if required

• Revision of policies and procedures (Security Policy, Process Re-Engineering)

• Exploitation of IT technology and tools (Firewalls / AVs, CRMs / Workflow Applications,
Encryption, Cloud ...)

• Developing Supervisory Authority notification procedures and other notification procedures

• Testing of systems and procedures (GDPR Audit)

• Continuous monitoring and updating of processes and systems (Monitoring, Review)

• Employee training

• Informing all the staff of the Municipality of Iraklion Attikis, Attica about the new
Regulation


GDPR compliance is not only a matter of archives, policies and procedures; it requires the
adoption of a new organizational culture in the Municipality of Iraklion Attikis, Attica.

Problems of GDPR implementation in the Municipality of Iraklion Attikis:

The problems are related to the general delay in the implementation of European
legislation in Greece. More specifically:

1. There is no culture of implementation of such legislation in the Municipality of
Iraklion Attikis in Attica, and staff training is needed.

2. The DPO has no legal or administrative powers; he has only a consultative role.

3. There is no cooperation between the services of the Municipality and the executives of
the Greek Independent Authority for the Protection of Personal Data, due to the workload of
the latter.

4. There is no logistical infrastructure for an electronic platform to ensure the
implementation of this legislation.


References

1. GDPR Law, https://eur-lex.europa.eu/eli/reg/2016/679/oj
2. GDPR Compliance Texts of the Municipality of Iraklio Attikis in Greece
3. www.iraklio.gr
